DataTags Tools

Motivation

SalilVadhan(leadPI),HarvardUniversityPRIVACYTOOLSFORSHARINGRESEARCHDATA

Computational Social ScienceThe potential: massive new sources of data and ease of sharing will revolutionize social science.

The problem: protecting the privacy of data subjects

privacy open data

e.g. NYT 5/21/12 “Troves of Personal Data, Forbidden to Researchers”

privacy

utility traditional approaches(e.g. “stripping PII”)

Challenges for Sharing Sensitive DataComplexity of Law• Thousands of privacy laws in the US alone, at federal,

state, and local levels, usually context-specific: HIPAA, FERPA, CIPSEA, Privacy Act, PPRA, ESRA, …

Difficulty of Deidentification• Stripping “PII” usually provides

weak protections and/or poor utility

Inefficient Process for Obtaining Restricted Data• Can involve months of negotiation between institutions,

original researchers

Sweeney ̀ 97

VisionAnarrayofcomputational,legal,andpolicytoolstomakeprivacy-protectivedata-sharing easierforresearcherswithoutexpertiseinprivacylaw/CS/stats.

Approach: Integrated Privacy ToolsTarget: Data Repositories

Co-PIs&SeniorPersonnel• Kobbi Nissim, co-PI, CRCS & Georgetown • James Honaker, Sr. Researcher, CRCS• Micah Altman, co-PI, MIT• Steve Chong, co-PI, CRCS• Merce Crosas, co-PI, IQSS• Urs Gasser, co-PI, Berkman Klein Center

Tools thathelpgenerateapolicyforyoursensitivedata

thatdefineshowtotransfer,store,access,andusethosedata.

DifferentialPrivacyTool:PSI– APrivatedata-SharingInterface

• General-purpose: applicable to most datasets in repository.• Automated: no differential privacy expert optimizing algorithms

for a particular dataset or application• Tiered access: DP interface for wide access to rough statistical

information, helping users decide whether to apply for access to raw data (cf. Census PUMS vs RDCs)

Goals of PSI

Privacy Budgeting Interface

Integration w/Statistical Tools for Social Science

D

D

http://privacytools.seas.harvard.edu/

web: mercecrosas.com twitter : @mercecrosas IQSS, Harvard University

DataTags LevelsTag Type Description Security Features Access Credentials

Blue PublicClear storage,Clear transmit Open

Green Controlled public Clear storage,Clear transmit

Email- or OAuth Verified Registration

Yellow Accountable Clear storage,Encrypted transmit

Password, Registered, Approval, Click-through DUA

Orange More accountable Encrypted storage, Encrypted transmit

Password, Registered, Approval, Signed DUA

Red Fully accountable Encrypted storage, Encrypted transmit

Two-factor authentication, Approval, Signed DUA

Crimson Maximally restricted Multi-encrypted storage, Encrypted transmit

Two-factor authentication, Approval, Signed DUA

�1

DataTags and their respective policies Sweeney L, Crosas M, Bar-Sinai M. Sharing Sensitive Data with Confidence: The Datatags System.

Technology Science. 2015.

web: mercecrosas.com twitter : @mercecrosas IQSS, Harvard University

The DataTags automated interview …

Data OwnerData User

Data deposit

Deposit license

Legal formalization

Local practices

CMR

formalization

FERPA

formalization

License generation

Data use agreement

Data

Logic rules

License text

Recommended data tag Lic

enses

Conditions for release and deposit

Que

stion

s

Answer

s

Logic rules

Robot Lawyers

BridgingLaw&CSDefinitionsofPrivacy BroaderImpacts

OtherAccomplishments• Latanya Sweeney, co-PI, IQSS• Edoardo Airoldi, co-PI, Harvard Stats Dept• Gary King, co-PI, IQSS • Marco Gaboardi, University of Buffalo• David O’Brien, Sr. Researcher, Berkman Klein

Center

MarcoGaboardi,JamesHonaker,GaryKing,KobbiNissim,JonathanUllman,andSalilVadhan. “PSI(Ψ):aPrivatedataSharingInterface.”PosteratTheoryandPracticeofDifferentialPrivacy(TPDP)andarXiv:1609.04340,2016.

Automated Interviews

DataTags Levels

PersonnelassociatedwithRobotLawyers:• MicahAltmanStephenChong

• AlexandraWood• Obasi Shaw• AaronBembenek• KevinWang

ArguethatDifferentialPrivacySatisfiesFERPAandotherprivacylawsviatwoarguments:

1. TheFERPAprivacystandardisrelevantforanalysescomputedwithDPAlegalargumentsupportedbyatechnicalargument

2. DifferentialprivacysatisfiestheFERPAprivacystandardAtechnicalargumentsupportedbyalegalargumentFERPAallowsdisseminationofde-identifiedinformationà sufficientto

showthatDPanalysesresultinoutcomethatisnotidentifiableExtractamathematicaldefinitionofprivacyfromFERPAandprovidea

mathematicalproofthatDPsatisfiesthisdefinitionK.Nissim,A.Bembenek,A.Wood,M.Bun,M.Gaboardi,U.Gasser,D.O'Brien,TSteinke,andS.Vadhan.2016.“BridgingtheGapbetweenComputerScienceandLegalApproachestoPrivacy.”InPrivacyLawScholarsConference (PLSC),2016.

DataFileDeposit

SensitiveDataset

DirectAccess

PrivacyPreservingAccess

Two-factorAuthentication;SignedDUA

AutomatedInterview

ReviewBoardApproval

RobotLawyers

PSI:DifferentialPrivacyTool

• Infrastructureforresearchinsocialscienceandotherhumansubjectsresearchfields

• Traininginmultidisciplinaryresearch:≈ 100 students,postdocs,internsfromlaw,computerscience,socialscience,statistics

• Policyimpact:WhiteHouseBigDataPrivacyStudy,NationalPrivacyResearchStrategy,NIST800-188DeidentifyingGovernmentDatasets,FederalTradeCommission

• Numerousworkshopsandsymposiaorganized,includingpublicsymposium“PrivacyinaNetworkedWorld”w/700+registrants.

• Newjournal“TechnologyScience”utilizingDataTags

• Open-accesspedagogicalmaterialsondataprivacyformanyaudiences

• Manytheoreticalresultsilluminatingthelimitsofdifferentialprivacy(lowerbounds,algorithms,hardnessresults,attacks).

• Theoreticalandempiricalworkbridgingdifferentialprivacy&statisticalinference(confidenceintervals,hypothesistesting,Bayesianposteriorsampling).

• Frameworkformodernprivacyanalysis:catalogueprivacycontrols,identifyinformationuses,threats,andvulnerabilities,anddesigndataprogramsthataligntheseoverdatalifecycle.